
In the case of IOS, Batfish crashes when executing Bi-directional Reachability to the IP address after NAT.

Open tokonish opened this issue 2 years ago • 5 comments

[Problem]

In the case of IOS, Batfish crashes when executing Bi-directional Reachability to the IP address after NAT.

[Topology]

For community report

dev3's NAT settings convert 10.0.12.1 to 20.0.12.1.

[Config] ※Minimum Config

dev1

hostname dev1
!
no ip domain lookup
!
interface GigabitEthernet0/1
 ip address 10.0.12.1 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.12.2
!
line con 0
 exec-timeout 300 0
 privilege level 15
 logging synchronous
 length 0
!
end

dev2

hostname dev2
!
no ip domain lookup
!
interface GigabitEthernet0/0
 ip address 10.0.12.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 10.0.23.2 255.255.255.0
 no shutdown
!
ip route 10.0.45.0 255.255.255.0 10.0.23.3
!
line con 0
 exec-timeout 300 0
 privilege level 15
 logging synchronous
 length 0
!
end

dev3

hostname dev3
!
no ip domain lookup
!
interface GigabitEthernet0/0
 ip address 10.0.23.3 255.255.255.0
 ip nat inside
 no shutdown
!
interface GigabitEthernet0/1
 ip address 10.0.34.3 255.255.255.0
 ip nat outside
 no shutdown
!
ip nat inside source static 10.0.12.1 20.0.12.1
!
ip route 10.0.12.0 255.255.255.0 10.0.23.2
ip route 10.0.45.0 255.255.255.0 10.0.34.4
!
line con 0
 exec-timeout 300 0
 privilege level 15
 logging synchronous
 length 0
!
end

dev4

hostname dev4
!
no ip domain lookup
!
interface GigabitEthernet0/0
 ip address 10.0.34.4 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 10.0.45.4 255.255.255.0
 no shutdown
!
ip route 20.0.12.0 255.255.255.0 10.0.34.3
!
line con 0
 exec-timeout 300 0
 privilege level 15
 logging synchronous
 length 0
!
end

dev5

hostname dev5
!
no ip domain lookup
!
interface GigabitEthernet0/0
 ip address 10.0.45.5 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.45.4
!
line con 0
 exec-timeout 300 0
 privilege level 15
 logging synchronous
 length 0
!
end

[Result]

Bi-directional Reachability Forward

ACCEPTED
1. node: dev01
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet0/0 with resolved next-hop IP: 10.0.12.2, Routes: [static (Network: 0.0.0.0/0, Next Hop: ip 10.0.12.2)])
  TRANSMITTED(GigabitEthernet0/0)
2. node: dev02
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet0/1 with resolved next-hop IP: 10.0.23.3, Routes: [static (Network: 10.0.45.0/24, Next Hop: ip 10.0.23.3)])
  TRANSMITTED(GigabitEthernet0/1)
3. node: dev03
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet0/1 with resolved next-hop IP: 10.0.34.4, Routes: [static (Network: 10.0.45.0/24, Next Hop: ip 10.0.34.4)])
  TRANSFORMED(SOURCE_NAT srcIp: 10.0.12.1 -> 20.0.12.1)
  SETUP_SESSION(Incoming Interfaces: [GigabitEthernet0/1], Action: PostNatFibLookup, Match Criteria: [ipProtocol=ICMP, srcIp=10.0.45.5, dstIp=20.0.12.1], Transformation: [dstIp: 20.0.12.1 -> 10.0.12.1])
  TRANSMITTED(GigabitEthernet0/1)
4. node: dev04
  RECEIVED(GigabitEthernet0/1)
  FORWARDED(Forwarded out interface: GigabitEthernet0/0, Routes: [connected (Network: 10.0.45.0/24, Next Hop: interface GigabitEthernet0/0)])
  TRANSMITTED(GigabitEthernet0/0)
5. node: dev05
  RECEIVED(GigabitEthernet0/0)
  ACCEPTED(GigabitEthernet0/0)

Bi-directional Reachability Reverse

ACCEPTED
1. node: dev05
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet0/0 with resolved next-hop IP: 10.0.45.4, Routes: [static (Network: 0.0.0.0/0, Next Hop: ip 10.0.45.4)])
  TRANSMITTED(GigabitEthernet0/0)
2. node: dev04
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet0/1 with resolved next-hop IP: 10.0.34.3, Routes: [static (Network: 20.0.12.0/24, Next Hop: ip 10.0.34.3)])
  TRANSMITTED(GigabitEthernet0/1)
3. node: dev03
  RECEIVED(GigabitEthernet0/1)
  MATCHED_SESSION(Incoming Interfaces: [GigabitEthernet0/1], Action: PostNatFibLookup, Match Criteria: [ipProtocol=ICMP, srcIp=10.0.45.5, dstIp=20.0.12.1], Transformation: [dstIp: 20.0.12.1 -> 10.0.12.1])
  TRANSFORMED(DEST_NAT dstIp: 20.0.12.1 -> 10.0.12.1)
  FORWARDED(Forwarded out interface: GigabitEthernet0/0 with resolved next-hop IP: 10.0.23.2, Routes: [static (Network: 10.0.12.0/24, Next Hop: ip 10.0.23.2)])
  TRANSMITTED(GigabitEthernet0/0)
4. node: dev02
  RECEIVED(GigabitEthernet0/1)
  FORWARDED(Forwarded out interface: GigabitEthernet0/0, Routes: [connected (Network: 10.0.12.0/24, Next Hop: interface GigabitEthernet0/0)])
  TRANSMITTED(GigabitEthernet0/0)
5. node: dev01
  RECEIVED(GigabitEthernet0/0)
  ACCEPTED(GigabitEthernet0/0)

Bi-directional Reachability(dev5->dev1)

Traceback (most recent call last):
  File "/root/development/testQuestion/./questions.py", line 380, in <module>
    main(args)
  File "/root/development/testQuestion/./questions.py", line 32, in main
    args.handler(args, logger)
  File "/root/development/testQuestion/./questions.py", line 275, in command_bireachability
    returnFlowType='SUCCESS').answer().frame()
  File "/root/development/testQuestion/venv/lib/python3.10/site-packages/pybatfish/question/question.py", line 192, in answer
    return _bf_answer_obj(
  File "/root/development/testQuestion/venv/lib/python3.10/site-packages/pybatfish/client/internal.py", line 60, in _bf_answer_obj
    workhelper.execute(work_item, session, background, extra_args)
  File "/root/development/testQuestion/venv/lib/python3.10/site-packages/pybatfish/client/workhelper.py", line 140, in execute
    raise BatfishException(
pybatfish.exception.BatfishException: Work terminated abnormally
work_item: {"containerName": "Mobills", "id": "5d649c02-7915-457e-be28-004f84d123b9", "requestParams": {"answer": "", "questionname": "__bidirectionalReachability_05c6a631-db91-4452-8f56-eb39156a078e", "testrig": "SrcNAT_IOS_BiReach"}, "testrigName": "SrcNAT_IOS_BiReach"}

In the case of IOS, Batfish crashes when executing Bi-directional Reachability from 10.0.45.5 to 20.0.12.1 after NAT.

tokonish Oct 31 '23 02:10

Cc: @anothermattbrown

Can you attach server-side logs (docker logs) to this issue?

ratulm Nov 03 '23 02:11

Hi, I tried this out and did not have any issues. Can you post more about the network you're using? Here's mine: https://gist.github.com/dhalperi/2db8b46ebff98eb4d3fbb97aed823af3

dhalperi Nov 04 '23 01:11

Hello, thank you for your reply. This problem occurs when checking with Bi-directional Reachability instead of Bi-directional Traceroute.

Please confirm.

logs↓
・8859log.txt

ipynb(pdf converted)↓
・8859_.pdf

tokonish Nov 07 '23 03:11

Thanks for that repro. After fixing a few bugs (srcIps, not scIps) I ran this query:

bf.q.bidirectionalReachability(
    pathConstraints=PathConstraints(startLocation='dev5'),
    headers=HeaderConstraints(srcIps='10.0.45.5', dstIps='20.0.12.1', srcPorts='32875', dstPorts='22')
).answer().frame()

and got

Caused by: java.lang.UnsupportedOperationException: Reachability does not yet support PreNatFibLookup

That checks out.

dhalperi Nov 13 '23 23:11
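A simplified model of what the traces and the exception above refer to, added here as an example (not Batfish or pybatfish code): dev3's routes and static NAT rule from the issue, with the return packet's FIB lookup done on either the pre-NAT or the post-NAT destination. The function names and the `pre_nat`/`post_nat` labels are assumptions of this sketch; only the addresses and routes come from the posted configs.

```python
import ipaddress

# dev3's connected networks and static routes, copied from the config in the issue.
DEV3_FIB = {
    "10.0.23.0/24": "connected GigabitEthernet0/0",
    "10.0.34.0/24": "connected GigabitEthernet0/1",
    "10.0.12.0/24": "static via 10.0.23.2",
    "10.0.45.0/24": "static via 10.0.34.4",
}
# ip nat inside source static 10.0.12.1 20.0.12.1
STATIC_NAT = {"10.0.12.1": "20.0.12.1"}  # inside local -> inside global


def fib_lookup(dst):
    """Longest-prefix match on dev3; None means no route for this destination."""
    addr = ipaddress.ip_address(dst)
    matches = [n for n in map(ipaddress.ip_network, DEV3_FIB) if addr in n]
    if not matches:
        return None
    best = max(matches, key=lambda n: n.prefixlen)
    return DEV3_FIB[str(best)]


def forward_inside_to_outside(src, dst):
    """Translate the source and record the session the return flow must match."""
    new_src = STATIC_NAT.get(src, src)
    # Same shape as SETUP_SESSION in the trace: match (srcIp, dstIp), rewrite dstIp.
    session = {"match": (dst, new_src), "rewrite_dst": src}
    return (new_src, dst), session


def return_outside_to_inside(src, dst, session, lookup_order):
    """Apply the session to a return packet; route on the pre- or post-NAT address."""
    if (src, dst) != session["match"]:
        # Simplification of this sketch: only session matches are translated.
        return dst, fib_lookup(dst)
    translated = session["rewrite_dst"]
    key = translated if lookup_order == "post_nat" else dst
    return translated, fib_lookup(key)


if __name__ == "__main__":
    flow, sess = forward_inside_to_outside("10.0.12.1", "10.0.45.5")
    print("forward flow after NAT:", flow)
    for order in ("post_nat", "pre_nat"):
        print(order, return_outside_to_inside("10.0.45.5", "20.0.12.1", sess, order))
```

With the lookup on the post-NAT address the return packet is routed via 10.0.23.2, matching the reverse trace; with the lookup on the pre-NAT address dev3 has no route for 20.0.12.1, so the two orders are not interchangeable on this topology.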

Logging Slack discussion with @anothermattbrown :

Actually, I think at this point we should have all the pieces we need. I think this is a 1 or 2 dayer. We just need to use BDDFibGenerator, apply the NAT on all the out-edges (presumably all? I’d have to double-check the concrete impl) and stitch it back together. Not too different from what we do in other cases.

dhalperi Nov 18 '23 20:11